Email is fast-paced and an essential part of work communication. It is also one of the biggest vectors for cyber threats. How can you sort the scams from legitimate emails?
With the increase in employees working from home, a comprehensive cyber security plan is imperative now more than ever. Remote access to your business’s network, especially from personal computers and devices, is a weak link in your cyber defenses. This makes the need for comprehensive employee training essential to your cyber security plan. One successful phishing attack combined with remote access can provide bad actors a direct path from your employee’s computer to your business.
Work from Home Safely
For many businesses that suddenly gained a remote workforce, employees are the first line of defense against cyber attacks. Employee education for phishing attacks and basic cyber security measures are essential tools in your business’s defense against a network breach.
Phishing in the Time of COVID-19
While cyber security education has improved employees’ ability to spot phishing attempts, the COVID-19 pandemic opened new avenues for bad actors to exploit in their phishing attacks. The tactics aren’t new. Bad actors continue to trick the distracted or unsuspecting into clicking a link or downloading an attachment, and they continue to target specific individuals for business email compromise (BEC) schemes.
What has changed are the lures used to trick the recipient into action. Bad actors have shifted their message to capitalize on the uncertainty around the novel coronavirus. Emails spoofing health organizations such as the WHO and the CDC contain links or attachments that claim to contain information about the coronavirus pandemic. An employee who may know not to click on a random link sent to them in an email, even from a known contact, might not be so careful against a link purporting to inform them about updated COVID-19 news.
Train your employees to be skeptical of all emails or messages related to the COVID-19 pandemic. Most major organizations are not going to be directly emailing individuals. If an email claims to be from an official source, do not click the link, but rather go directly to the organization’s website. Any updated information or legitimate news will be posted there.
Put into place policies and procedures to protect against BEC schemes. Bad actors have tailored their messages to take advantage of the isolation of the remote workforce. BEC attacks rely on the recipient not verifying a request for funds or access with the person or company being impersonated, thus failing to discover that the transaction is illegitimate. Their new tactic to ensure this is to include a note that the requester can’t be contacted due to COVID-19 quarantine, or not to tell anyone so their stated COVID-19-positive status is not known publicly.
Every business should have policies that require all changes to account numbers or unplanned transactions to be verbally verified through known channels (not the email’s contact information) before being enacted. This simple policy reduces the chance of a successful BEC attack at your company.
Bring Your Own Devices
Many businesses don’t have the capital to buy new hardware for their newly-remote workforce. This results in what is referred to as BYOD or Bring Your Own Device. With BYOD, employees use their personal computers or mobile devices to access company data, whether through VPN, web portal, remote desktop application, or software-specific application. This is a cost-efficient option for those working from home, but it comes with risks and can be difficult to secure if you’re not a trained IT professional.
No home network is going to be as secure as a properly set up office network with an enterprise-grade hardware firewall, but there are measures that your employees can take to strengthen their home defenses. Make it policy to ask these basic security questions before allowing employees to work from their personal computers:
- Do they have a router with WPA2 or higher password protection enabled?
- If they live with others, do they have their own password-protected profile on the computer?
- Are all passwords unique, and do they meet your company’s password policy requirements?
- Can they work in a place where others cannot see company data?
- Can they limit browser extensions or use a separate browser for work to avoid data leakage?
- Are their computer’s operating system and anti-malware/virus software up to date?
- Have they been trained to identify problems with their computer systems that may indicate infection?
- Do they know who to call if they suspect their computer may be compromised while connected to your business network?
- Have they been trained on all work-from-home policies and procedures?
- Have they been trained in cyber security best practices, including how to spot phishing attempts and suspicious websites?
The computers may belong to your employees, but the data they’re accessing is your business. Make sure to reduce the risk of remote access as much as possible.
Training Is Key
The best defense against compromise is a comprehensive, ongoing training plan for all employees. They can’t spot phishing if they don’t know how to identify it, and they can’t use strong passwords if they don’t know what’s secure. When employees work from home on less secure networks, it is even more important to ensure they are informed and prepared for any cyber security challenges that may arise. Annual training with cyber security professionals can keep you and your employees up to date on the trends in security threats and how to defend against them. Don’t wait until it’s too late to give your employees the information they need to protect your business.
A remote workforce is a weak link in your cyber defenses, but that doesn’t mean you can’t set it up as securely as possible. Verify security measures and provide the necessary training and policies to keep your employees and your business safe.
Over the past weeks, we’ve worked with many of you to add or increase your work-from-home capabilities as a result of the COVID-19 pandemic. This move not only helps keep our coworkers safe but also our families and the greater community. As our team burns the midnight oil to do our part, our thoughts and prayers go out to everyone affected by this international crisis.
To better assist your work-from-home goals, please be mindful of the dangers of and best practices for remote work.
While social distancing is critical, we must also recognize the risks a remote workforce poses and be vigilant to keep our systems secure. Remote work immediately increases the vulnerability of your company’s cyber security. Suddenly, we’re no longer at one office location with multi-layered security measures in place. Our surface of attack is exponentially spread into homes that aren’t equipped with enterprise-grade firewalls and onto personal computers that may already be compromised (studies estimate that 1/3 to 1/2 of home machines are).
Taking advantage of the interest and coverage of COVID-19, cyber criminals are using new tactics in their phishing and malware attacks. Fake coronavirus websites, often with legitimate information from trusted sources, are being created to spread malware. New phishing emails and clickbait links using similar messages are also spreading. Do not trust COVID-19-themed emails, even if they appear to come from governmental sources. If you receive one and think the information may be worth clicking, go instead to the organization’s website. Any official, legitimate updates will be included there.
Avoid falling victim to one of these scams. Follow basic phishing prevention as we’ve explained in our learn page and phishing quiz, and always go to official government sites for coronavirus information.
As with all phishing attempts, never open attachments or links in unsolicited emails. If you know the person who sent it, confirm with them that the email is legitimate first, preferably by means other than email, as responses can be faked. When searching for coronavirus information, hover over the link before you click and make sure the URL matches the source it appears to come from in the search results.
Working from home presents unique challenges to the privacy of your work, but your company’s confidentiality policies and contracts remain in effect no matter where you are. This is especially important if you are subject to HIPAA or other governmental regulations. Keep up to date with all regulatory changes made to accommodate the novel coronavirus situation.
There are measures all remote workers should follow to protect the confidentiality and security of their work space while in a home environment.
- Always lock your screens when you step away from the computer to keep curious children (or pets) from wreaking unintentional havoc.
- Work in your own room or create a space away from other members of your household. The space should be isolated enough to avoid onlookers and to conduct work conversations without being easily overheard.
- When using a company-owned device, keep it locked or turned off whenever you are not with it, and never allow others in your home to use it for any reason.
- If using a personal device for work, create a separate, password-protected user profile to access company data from. Do not allow others to use this profile.
- Keep any work papers or confidential information in a safe, preferably locked, place.
Home Network Performance
Home networks, including your internet service, are typically not as reliable as your office IT systems. With the additional load of millions of users across the nation trying to do the same things you are, you will likely face performance issues when working from home. Since home internet often isn’t as fast as your work connection, video conferencing may flake out and remote connections to your office network or devices may lag. The more people taxing your internet with activities such as online learning, streaming, gaming, or video chatting, the more likely you are to have performance issues.
Due to the increased need for high-speed internet to accommodate the sudden influx of both home-based work and schooling, some internet service providers (ISPs) are offering additional speeds for those with no or limited internet access at no extra cost. Others are removing data caps and related fees for those on fixed data plans. If you think you might qualify, contact your ISP for more information.
Home Network Security
Performance isn’t the only potential issue with a home network. Security is a big concern when connecting to the office network from home. Besides the obvious security measures such as having patched, up-to-date computers with strong anti-virus/anti-malware protections, here are a few more tips for securing your home network.
- Update router firmware if needed.
- Make sure Wi-Fi has WPA2 or higher encryption with a strong password (not the default).
- Update firmware on all IoT (Internet of Things) devices, such as smart thermostats and cameras. IoT devices are often more vulnerable to attack and have been used to infect home networks.
- Never use default passwords on any internet-connected device.
- Remove or deactivate all browser extensions not necessary for work. They might seem helpful, but many have tracking embedded in them and some are vehicles for malicious code.
- Use multi-factor authentication (MFA) whenever available.
Training & Communication
While knowing how to spot phishing and social engineering attacks is essential to network safety, that’s not the only kind of training those who work from home should receive.
Review relevant security and office policies and ensure that you know who to contact if an issue arises. What problems can be resolved by office staff or a coworker, and what problems need to go to IT experts? Work efficiency will suffer if you continually contact the wrong people to resolve your problem. Consider partnering with another team member to check in about potential suspicious activity or emails before reaching out to an IT professional. You may not be alone in experiencing an issue or threat.
We’re already taxing our systems and IT personnel; don’t give criminals the edge. Be even more vigilant at home. It’s easy to become relaxed in your own space, but those with malicious intent are also working overtime to capitalize on our situation.
Learn all about phishing and how to prevent your employees from clicking on a dangerous lure in Anderson Technologies’ new phishing explainer.
Even managed service providers receive scam emails and phone calls.
These serve as a reminder that education on phishing, scareware, and ransomware is an ongoing process, one that even IT experts need to stay sharp on.
But let’s assume you aren’t an IT expert. How can you best determine the validity of these messages and if they have malicious intent?
As with any learning process, practice is important. You may want to start with our phishing quiz. Know where you stand with gut instinct and some important clues.
Whether the attempt is made by email or phone, there is always something just a bit off about a phishing attempt. The phisher may have some accurate personal information (like your name, or the fact that you have Yahoo! email or an AT&T phone account) and use it to see if you’ll take the bait.
It is easy to panic at the threat of suspension or an overdue bill and put aside any unease because of the urgent matter apparently at hand. This is exactly what phishers and scammers hope will happen.
The goal of these calls or emails is to collect even more information about you, fleshing out a profile for future scams, which the phisher can sell to other scammers, or—the jackpot—to collect banking or credit card information and cash in.
Because these phishes do have some truth mixed in, many do fall victim.
It might sound like an episode of Black Mirror—in fact, the tactics used in this blackmail email are eerily similar to those dramatized in a recent episode of the Netflix series depicting fictional futures—but scammers are now using direct emails as a method to extort information or Bitcoin from unsuspecting users.
About a month ago, Mark Anderson, Principal of Anderson Technologies, received a blackmail email scam. “As you could probably have guessed, your account was hacked, because I sent message you from it,” the scammer began in broken English. They first boasted by showing an unencrypted old password—probably acquired from Yahoo’s 2013 data breach.
The email continued to outline the threat. “Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we’ve created.” This virus, they suggested, gave them access to “messages, social media accounts, and messengers.” This apparently wasn’t enough intimidation for most scam victims, because the email then amped up the threat.
Users all over the internet report similar threats; the scammer creates a scenario that, if true, would serve as ample motivation to give in to their demands. The scammer says that video of the user was recorded while visiting “adult websites,” and that, unless 700 dollars is transferred to the scammer’s Bitcoin wallet within 48 hours, this footage would be released and they would “show this video to your friends, relatives, and your intimate one…”
So, with a relatively low payout amount, and a previously accurate (but very old) password, how did Anderson know this threat was a scam? He knew what they’d accused him of was false, not to mention he didn’t have a webcam as they’d suggested. But other clues included:
- While the email appeared to be sent from Anderson’s old account, this can be accomplished through spoofing.
- The password they listed was not the current (or even recent) password for that account.
- Broken English isn’t always a giveaway but combined with the generic threat, it seemed like a form letter.
- Googling some of the email text brings up threads of other users exposing the scam. We’ve censored some of the less savory aspects of the original email, but the full text and breakdown can be read online.
If you receive this email or a similar threat, your first step should be to research the threat online or reach out to an IT expert. Never pay a blackmail, ransom, or other request for money. Instead, update your passwords, run anti-virus and anti-malware scans on affected devices, and consider implementing multi-factor authentication on your accounts in order to bolster your security profile.
Phishing and spear-phishing emails are an ever-present problem to businesses, and the criminals are only getting better at fooling people. Understanding and being able to spot phishing and spear-phishing emails is a vital part of employee training at Anderson Technologies. But reading about how to spot them and actually spotting emails are different things.
Worse yet, the phishing websites those email links go to often appear legitimate, right down to having the secure lock icon in the browser. In their 2018 1st Quarter Report, the Anti-Phishing Working Group notes that “more than a third of phishing attacks [reported to them] were hosted on web sites that had HTTPS and SSL certificates.” They attribute this in part to the fact that consumers believe they can trust all HTTPS sites, or they at least recognize a site without encryption asking for personal or financial information is not secure.
It’s vital to know whether your email is a legitimate business interest or a scam hoping to trap you, but how confident are you to do so? Take our quiz to see if you can tell the difference between a legitimate email and a fake one.
Hopefully you were an expert phisherman, but if not, it’s not too late to brush up on some basics.
- Know what you’ve ordered and who your vendors are. If you didn’t order anything from the person, don’t trust their emails.
- Always check the sender’s address before clicking on links or attachments, even if it looks like a company you trust.
- Read the email completely before clicking links. Poor grammar or obvious spelling/branding mistakes are key signs of phishing emails.
- If you’re unsure if an email is really from a company you trust, go to their website manually, not through a link provided in the email. If it’s real, you can look up the information through your account, and if not, you’ve just protected yourself.
- Don’t panic! Urgent calls for action to avoid loss of service or legal action are meant to upset you. Don’t let them. Read everything carefully and verify there’s a problem by using the service mentioned or calling the company using the number on their website, not in the email.
- If all else fails, Google it. These emails are widespread and a quick Google search will most likely bring up a hundred different people receiving the same fraudulent email.
If you’d like a refresher course on e-mail safety, contact Anderson Technologies to schedule an employee cyber security training seminar. Reach us by email at firstname.lastname@example.org or by phone at 314.394.3001.
Email-delivered threats have increased drastically over the last few years. Even businesses with enterprise-level email services and employee training can fall victim to creative manipulation. To battle this, Anderson Technologies offers a solution that protects email when other systems fall short.
Imagine turning on your work email to find a message from your biggest client. “If we get one more spam email from your accounts, we will stop doing business with you.”
How can this be? You pay for managed services, educate your employees on email security, and even recently upgraded your email services. How could something like this happen? Sure, your employees have received some suspicious-looking emails in the past, but there’s no way that could seep into your client interactions.
Except that’s exactly what happened to Intrante.*
According to Farica Chang, director at Anderson Technologies, the system administration team was able to trace the outgoing spam to a single “malicious phishing email that successfully executed code inside two employee Outlook applications.” The malware set up email rules that “hid its behavior from the users and began spamming everyone in their address books with email sent through their accounts.” Those emails not only went out to every internal company inbox but also to many clients and vendors.
Intrante couldn’t afford for this to happen again. Imagine this happened to you. What would you do?
Upon learning of the spam coming from Intrante’s accounts, senior systems administrator at Anderson Technologies, Luke Bragg, immediately took action. “The first thing we did was reset the passwords for the suspected accounts that were compromised,” he said, thus cutting off further access from cyber criminals. “From there we started digging into the accounts to see what other data or settings had been maliciously modified.”
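One way to look for the kind of mailbox rules described above, which hide activity from the account owner, is to audit an export of every user's inbox rules. This is an added example, not the procedure Anderson Technologies used: it assumes Exchange or Microsoft 365 mailboxes whose rules were exported to JSON, the property names follow what Exchange's Get-InboxRule returns, and the "Mailbox" key, the folder list and the word list are assumptions to tune.

```python
import json

# Folders users rarely open; a rule that files mail here effectively hides it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email"}
# Words typical of bounces and complaints that a compromised sender would hide.
REPLY_WORDS = {"undeliverable", "delivery", "spam", "virus", "hacked", "phishing"}
WORD_KEYS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")

# Constructed export for illustration; "Mailbox" is added by the (assumed) export step.
SAMPLE_RULES = json.loads("""
[
  {"Mailbox": "user1@corp.example", "Name": "Newsletters", "Enabled": true,
   "From": ["news@vendor.example"], "MoveToFolder": "Newsletters",
   "DeleteMessage": false, "MarkAsRead": false},
  {"Mailbox": "user1@corp.example", "Name": ".", "Enabled": true,
   "SubjectContainsWords": ["Undeliverable", "spam"], "MoveToFolder": "RSS Feeds",
   "DeleteMessage": false, "MarkAsRead": true},
  {"Mailbox": "user2@corp.example", "Name": "sync", "Enabled": true,
   "DeleteMessage": true, "MarkAsRead": false}
]
""")


def hiding_actions(rule):
    """Describe the actions of a rule that keep mail out of the user's view."""
    actions = []
    if rule.get("DeleteMessage"):
        actions.append("deletes the message")
    if (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
        actions.append(f"moves it to '{rule['MoveToFolder']}'")
    if actions and rule.get("MarkAsRead"):
        actions.append("marks it as read")
    return actions


def audit_rule(rule):
    """Return the reasons a rule looks like it was planted to hide activity."""
    hides = hiding_actions(rule)
    if not hides:
        return []
    words = {w.lower() for key in WORD_KEYS for w in rule.get(key) or []}
    matched = sorted(words & REPLY_WORDS)
    if not rule.get("From") and not words:
        return ["applies to all incoming mail and " + ", ".join(hides)]
    if matched:
        return [f"matches {', '.join(matched)} and " + ", ".join(hides)]
    return []


def audit(rules):
    """Return (mailbox, rule name, reasons) for every suspicious rule."""
    report = []
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            report.append((rule["Mailbox"], rule["Name"], reasons))
    return report


if __name__ == "__main__":
    for mailbox, name, reasons in audit(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r}: {'; '.join(reasons)}")
```

Flagged rules are leads for review, not verdicts; resetting the password does not remove a rule, so each one has to be deleted explicitly.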
Once the scope of the incident had been uncovered and repaired, Bragg and his team needed to implement a stronger email spam filtering solution to prevent a similar incident from occurring in the future.
He looked to the August 2017 study from SE Labs, which analyzed email threat protection services. This data made it clear—while many popular email services catch spam and phishing attempts, messages still slip through the cracks. Three email filtering services analyzed by SE Labs received their “AAA” rating: Mimecast, Forcepoint, and Proofpoint Essentials. While all three provided excellent coverage, only the last service achieved a 100% accuracy rating.
Proofpoint inspects both inbound and outbound emails. According to the SE Labs study, not only does Proofpoint quarantine or send threats to junk mail, it stops or rejects threats before they reach the user. If URLs are present in an email, Proofpoint’s system opens every link inside a controlled sandbox environment. “This action and analysis allows it to determine if the link is legitimate and safe before it releases the email to the recipient,” said Chang.
In addition to its stellar record, Proofpoint’s four subscription tiers also offer features that many clients of Anderson Technologies request. An Essentials Business account gives access to most of Proofpoint’s features, but the Advanced and Pro levels include email encryption (and along with that, HIPAA and PCI compliance) and social media account protection. Pro also offers a tamper-proof, off-site, unlimited (10 year) email archive.
With this distinctive solution, Anderson Technologies’ managed services team brought their answer back to Intrante.
According to Bragg, “email threats are extremely common, and probably one of the most targeted systems.” Email is the perfect delivery system for malware, spam, and phishing campaigns, all of which saw an increase in 2017, according to Symantec’s Email Threat Report. These threats can be spread through email by bots, by entities with malicious intent, and by the acts (unintentional or intentional) of authorized users.
Even educated employees can miss the subtle tricks of an effective spammer.
Phishing emails may look and feel like they come from a well-known company, like Amazon, Apple, PayPal, or UPS. Frequently, these attacks ask the reader to “click here to log in to your account,” providing login information to a wolf in sheep’s clothing. These attacks are easy to mass generate and make money for the perpetrators even if only 1 in 100 falls for the trap.
According to Symantec’s Email Threat Report, “one out of every nine email users encountered email malware in the first half of 2017!” These emails typically offer an attachment disguised as an invoice or other important document. These may appear to be sent from other employees and may even be routed through their real email addresses.
Malware-spreading emails typically urge the reader to act NOW, inhibiting the thought process through urgency.
Another vulnerability tied to email is information hacking.
Even comparably low-value targets can provide lucrative information to hackers—information like other user names, passwords, client information, industry secrets, or proprietary data. Email is as insecure as a postcard. As long as it is only read by the intended recipient, your message is moderately safe. Even so, never send passwords, financial credentials, Social Security numbers, etc., in a plain-text email. Once in the wrong hands, unencrypted email is easy to read.
Don’t be fooled. “Even with additional layers of filtering and security,” says Chang, “there will always be malicious emails that get through. Teaching employees to be wary and practice caution is the best defense.” Take advantage of education services like free seminars, or Anderson Technologies’ free ebook on cyber security.
Email may be the perfect vehicle for bad actors to find their way into your network, but you and your business don’t have to be a victim. With spam monitoring and encryption services like those offered by Proofpoint, a mistake or foolhardy action doesn’t have to mean the destruction of your business.
Anderson Technologies strives to ensure the IT products and tools it recommends are fully vetted and employed internally first. Principal Mark Anderson reports that after implementing Proofpoint Essentials, his junk email count has dropped by over 90%! Symantec’s Email Threat Report estimates an annual cost of $1,177.42 for the time one employee spends managing spam.
Bragg recommends a layered approach to email security. The first layer is perimeter protection with a good hardware firewall that has additional malware and intrusion defense capabilities. From there, Bragg notes the importance of enterprise-grade anti-virus software on all workstations and servers. It is important that this software be closely monitored and updated to truly be effective. The final layer is spam filtering, and for that, Anderson Technologies recommends Proofpoint.
Of course, there is also user training, which is “challenging,” according to Bragg, “but necessary.” Even for businesses that are confident in their employees’ cyber security training regarding email, Proofpoint brings operations closer to a Zero Trust mindset, truly making your operations secure.
*Names have been changed to protect the identity of the business and its executives.